Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction to the topic, and Part 2 provided some action items for companies to consider as they evaluate these technologies. Respected security blogger Martin McKeay commented on Part 1. Serendipitously, Martin was also in Dallas (where I live) last week, and we got an opportunity to chat in person about the report and other security topics.

Martin’s post highlighted several issues that deserve a response. He felt that I “glossed over several important points people who are considering either technology need to be aware of.” Let’s review those items:

Comment: “This is one form of tokenization, but it completely ignores another form of tokenization that’s been on the rise for several years; internal tokenization by the merchant with a (hopefully) highly secure database that acts as a central repository for the merchant’s cardholder data, while the remainder of the card flow stays the same as it is now.”

Response: Tokenization and Trans-E are huge topics that could command an entire book. The purpose of the reports was to provide an introduction to a very complicated issue. Our immediate goal was to define the terms and issues, not to answer every potential question our clients might have. Since Forrester clients are primarily interested in outsourcing their credit card processing in a manner that reduces their PCI scope, we focused on that type of tokenization. Clearly there will be multiple use cases for this type of technology, and we will expand this research as needed.

Comment: “Another criticism I have of the paper is that while it does a good job of explaining that true end to end encryption is from the POS to the acquiring bank, it doesn’t do as good a job in explaining the complexities and pitfalls of point-to-point encryption (P2P).”

Response: The debate over what to call the type of encryption used in these solutions is both volatile and complex. For the purposes of this research we wanted to step back from the semantics of that debate and focus on the core concepts, which is why we used the term “Transaction Encryption.” The potential issues around how encryption will be done, end-to-end or point-to-point, are a lively topic but were not particularly useful for this particular research. The report does spend a fair bit of time introducing several of the transaction issues, including the specific nomenclatures and the current status of the various encryption standards bodies. The important point we wanted to emphasize is that tokenization and transaction encryption are interrelated technologies that together can form a solution that increases security and eases the compliance burden.

Thanks, Martin, for engaging in this dialogue about this important topic. This type of discussion is important to all participants in payment card security, and I hope others will jump into the debate.
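To make the “internal tokenization” model from Martin’s comment concrete, here is an added example (not code from the reports or from Martin’s post) of a minimal merchant-side token vault: the vault is the only component that holds PANs, downstream systems store a random token that keeps only the last four digits, and the key, class and function names are my own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the lookup index; a real vault would hold it in an HSM/KMS.
INDEX_KEY = b"constructed-demo-key-not-for-production"


def luhn_ok(number: str) -> bool:
    """Luhn check: the vault rejects malformed PANs and never issues a Luhn-valid token."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The single component that stores PANs; the rest of the card flow sees tokens only."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}    # vault store (encrypt at rest in practice)
        self._token_by_index: dict[str, str] = {}  # HMAC(PAN) -> token, for repeat cards

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        # Keyed index: same card gets the same token without a plaintext PAN lookup table.
        index = hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            # Random digits, not derived from the PAN, so a stolen token reveals nothing;
            # last four kept for receipts; a Luhn-failing token cannot pass as a live card.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the acquirer) should ever call this."""
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount: int) -> dict:
    """Downstream system: stores the token, never the PAN, so it stays out of PCI scope."""
    return {"token": vault.tokenize(pan), "amount": amount}
```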